
    <!DOCTYPE HTML>
    <html lang="en" data-template="post-page darkTeal-layer">
    <head>
        
        <!--<sly data-sly-test="false">-->
        
            <link rel="preload" as="script" href="/etc/designs/fortinet/adb-target/at.js"/>
            <script>

                   ;(function(win, doc, style, timeout) {
                   // Adobe Target "pre-hiding" snippet: inject a <style> that hides <body>,
                   // then drop it again after `timeout` ms so the page is never left
                   // invisible if the at.js script (loaded further down, presumably
                   // consent-gated) never runs or never removes it itself.
                   var STYLE_ID = 'at-body-style';
                   var headOf = function() {
                      return doc.getElementsByTagName('head')[0];
                   };
                   // Append <style id=`id`> containing `css` to `parent`.
                   // `css` is the constant literal passed in at the bottom, never user
                   // data, so innerHTML is acceptable here; do not reuse this helper
                   // for untrusted text.
                   var inject = function(parent, id, css) {
                      if (parent) {
                         var node = doc.createElement('style');
                         node.id = id;
                         node.innerHTML = css;
                         parent.appendChild(node);
                      }
                   };
                   // Remove the element with id `id` from `parent`; no-op when either is missing.
                   var eject = function(parent, id) {
                      if (!parent) { return; }
                      var node = doc.getElementById(id);
                      if (node) { parent.removeChild(node); }
                   };
                   inject(headOf(), STYLE_ID, style);
                   setTimeout(function() { eject(headOf(), STYLE_ID); }, timeout);
                   }(window, document, "body {opacity: 0 !important}", 3000));
                </script>

            <script type="text/plain" class="optanon-category-C0003" src="/etc/designs/fortinet/adb-target/at.js"></script>
        
        
    <meta charset="UTF-8"/>
    <title>New Rocke Variant Ready to Box Any Mining Challengers</title>
    <meta name="keywords" content="threat intelligence,malware,Cybersecurity Architect,threat research,cryptominer,FortiGuard Labs Threat Research,coin miner"/>
    <meta name="description" content="FortiGuard Labs has been monitoring a Linux coin mining campaign from “Rocke” – a malware threat group specializing in cryptomining. Learn more about the general behavior of the malware as well as new features we have documented."/>
    <meta name="template" content="post-page"/>
    

    <meta name="viewport" content="width=device-width, initial-scale=1"/>


<meta name="google-site-verification" content="tiQ03tSujT2TSsWJ6tNHiiUn8cwYVmdMQrGUCNrPQmo"/>

<meta property="og:site_name" content="Fortinet Blog"/>
<meta property="og:title" content="New Rocke Variant Ready to Box Any Mining Challengers"/>
<meta property="og:url" content="https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers"/>
<meta property="og:type" content="article"/>
<meta property="og:description" content="FortiGuard Labs has been monitoring a Linux coin mining campaign from “Rocke” – a malware threat group specializing in cryptomining. Learn more about the general behavior of the malware as well as …"/>
<meta property="og:image" content="https://www.fortinet.com/content/dam/fortinet-blog/article-images/rocke-threat-blog/rocke-variant-hero.png"/>

<meta property="twitter:card" content="summary"/>
<meta property="twitter:site" content="@Fortinet"/>

<meta property="article:author" content="Joie Salvio"/>

    <meta property="article:section" content="FortiGuard Labs Threat Research"/>


    <meta property="article:published_time" content="2019-05-28T00:00:00.000-07:00"/>


    <meta property="article:tag" content="threat intelligence"/>

    <meta property="article:tag" content="malware"/>

    <meta property="article:tag" content="Cybersecurity Architect"/>

    <meta property="article:tag" content="threat research"/>

    <meta property="article:tag" content="cryptominer"/>

    <meta property="article:tag" content="coin miner"/>


<link rel="shortcut icon" href="/etc/designs/fortinet-blog/favicon.ico"/>

<link rel="canonical" href="https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers"/>










    
<link rel="stylesheet" href="/etc.clientlibs/fortinet-blog/clientlibs/clientlib-base.min.css" type="text/css">






<!-- SEO Script -->




<!-- OneTrust Cookies Consent Notice start for fortinet.com -->



    <script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" data-document-language="true" type="text/javascript" charset="UTF-8" data-domain-script="f85f39fc-d7aa-467a-b762-fbb722748016"></script>
    <script type="text/javascript">

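function OptanonWrapper() {
    // Callback invoked by the OneTrust SDK (loaded just above) once the consent
    // banner is ready and again whenever consent groups change. It removes the
    // legacy cookie banner, records the change on the data layer, and asks
    // OneTrust to load the Adobe Launch container.
    try {
        // remove old cookie script; jQuery may not be present, so this is best-effort
        $('#cookiescript_injected').remove();
    } catch (e) {}
    // The data layer may not exist yet when this callback fires (the tag
    // manager is loaded by the Launch script below). Initialize it so the
    // event is queued instead of throwing and skipping the InsertScript call.
    window.dataLayer = window.dataLayer || [];
    window.dataLayer.push({
        event: 'OneTrustGroupsUpdated'
    });
    // NOTE(review): protocol-relative URL inherits the page scheme and the
    // injected script carries no SRI hash, so its integrity rests entirely on
    // the CDN origin; an explicit https:// URL would be the safer form.
    Optanon.InsertScript('//assets.adobedtm.com/launch-EN23cb8375449840dc93b13f34d935b8b9.min.js','head',null, null, '1',true);
}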

</script>


<!-- OneTrust Cookies Consent Notice end for fortinet.com -->
    
    
    

    
    

    
    
    
    

    

    

    

    

    






    </head>
    <body>
    



    
<div class="root responsivegrid">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
<section class="b4-hero aem-GridColumn aem-GridColumn--default--12">



<div class="b4-hero__container" style="background-image:url(/content/dam/fortinet-blog/article-images/rocke-threat-blog/rocke-variant-hero.png);">
    <img class="ratio" alt="New Rocke Variant Ready to Box Any Mining Challengers" aria-hidden="true" src=""/>
    <div class="b4-hero__text text-container">
        <p data-ly-test class="b4-hero__kicker">FortiGuard Labs Threat Research</p>
        
        
        <h1 class="b4-hero__headline">New Rocke Variant Ready to Box Any Mining Challengers</h1>
        
    </div>
</div>
</section>
<section class="b15-blog-meta aem-GridColumn aem-GridColumn--default--12">

<div class="b15-blog-meta__container text-container">
    <span>By </span>

    <span class="b15-blog-meta__author">

        
					

                        

                                  
                                      
                                            
                                              <a href="/blog/search?author=Joie+Salvio">Joie Salvio</a>
                                          
                                          
                                           
                                      
                                  
                          
                    
        
    </span>
    <span class="b15-blog-meta__">
        

              </span>



    <span class="b15-blog-meta__date"> | May 28, 2019</span>
</div>
</section>
<div class="responsivegrid aem-GridColumn aem-GridColumn--default--12">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
    <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b><i>FortiGuard Labs Breaking Threat Research</i></b></p>
<p>FortiGuard Labs has been monitoring a Linux coin mining campaign from <a href="https://security.web.cern.ch/security/advisories/rocke_group/rocke_group.shtml">“Rocke”</a> – a malware threat group specializing in cryptomining. Over the past month we have seen new features constantly being added to the malware. For instance, in their latest major update, they have added a function that exploits systems running the software development automation server <a href="https://jenkins.io/">Jenkins</a> to increase their chance of infecting more systems, thereby generating more profits. In addition, they have also evolved their malware by adding new attack stages, as well as new redundancies in its multi-component execution to make it more dynamic and flexible.</p>
<p>This post will go through the general behavior of the malware as well as the new features we have documented being added during our monitoring.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image.img.png/1559062538052/rocke-fig-one.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p style="text-align: left;"><b>Figure 1: Basic Execution Flow</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <h3><b>Stage1 and Stage2</b></h3>
<p>The malicious bash script components of the malware are hosted on <a href="https://pastebin.com/">Pastebin</a> under the profile name “SYSTEMTEN”, which is very similar to previous names used by the “Rocke” threat group. It’s worth noting that most of the time there are several paste links that point to the same script. Presumably, the redundancy is for operational continuity in case other links are removed for some reason. The paste links for the scripts seem to change every few days, so manually monitoring the threat can be tedious. Similar redundancies can also be found in other parts of this malware’s behavior.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_1355171984.img.png/1559062628055/rocke-fig-two.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 2: Pastebin Profile Hosting the Scripts</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>In a nutshell, the infection begins with the execution of the <i>Stage1</i> script, which may be installed on a system through various means, including manual intrusion, lateral movement from previous infections inside the network, classic automated internet vulnerability scanning, service login brute-forcing, and exploitation.</p>
<p>The sole purpose of the <i>Stage1</i> script is to download the <i>Stage2</i> script via either the <i>wget</i> or <i>curl</i> command and then execute it.</p>


</div>
<div class="cmp cmp-image aem-GridColumn aem-GridColumn--default--12">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_932297259.img.png/1559062844294/rocke-fig-three.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 3: Stage1 Script</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>The <i>Stage2 </i>portion of the attack then performs the following:</p>
<ul>
<li>Adds a CRON job that downloads and executes the <i>Stage1 </i>script periodically. In this case, <i>* * * * *</i> means the script will execute every minute.</li>
</ul>


</div>
<div class="cmp cmp-image aem-GridColumn aem-GridColumn--default--12">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_1326516583.img.png/1559062967198/rocke-fig-four.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 4: Adding CRON Job for Stage1</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <ul>
<li>Maximizes usage of the system’s processing power by terminating processes related to other miners.</li>
</ul>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_920859021.img.png/1559063016679/rocke-fig-five.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 5: Terminating Existing Miners</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <ul>
<li>Downloads the main payload binary appropriate to the system’s architecture (x32/x64). Two different download URLs are assigned to each architecture in case either of them is inaccessible. It is also interesting to note that there is often a link that contains a timestamp, suggesting its upload or compile time.</li>
</ul>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_1985735977.img.png/1559063083838/rocke-fig-six.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 6: Downloading Main Payload</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>In older variants, the download links all led straight to the binary payload—until just a few days ago, when the group added a new loader stage before the actual execution of the payload. In this recent version, some of the links now serve large Python scripts that embed the base64-encoded ELF binary; the script then decompresses and executes the main binary payload.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_848189790.img.png/1559063171107/rocke-fig-seven.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 7: New Loader Binary for the Main Payload</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <ul>
<li>The malware spreads laterally by accessing the SSH <i>known_hosts</i> file, which lists the SSH hosts that the victim’s system has previously connected to, and executing the <i>Stage1</i> script. A second test is performed to verify that public key authentication is possible.</li>
</ul>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_1855317434.img.png/1559063243836/rocke-fig-eight.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 8: Propagating Through SSH known_hosts</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <h3><b>Main Payload</b></h3>
<p>The main binary acts as a manager to the malware’s operation in the system. It ensures that the components are regularly updated, persistent, and hidden from the user. And ultimately, it executes the cryptominer.</p>
<p><b>Compression</b></p>
<p>The main payload is written in Go (GoLang) and was at first packed with standard UPX. However, in March of this year, they switched to a “custom” UPX compression simply by changing the packed binaries’ section names to “LSD!”. It is a simple trick, but it can be very effective in evading file-based detection, because in most cases engines can only decompress UPX-compressed files that have proper headers.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_412240290.img.png/1559063377343/rocke-fig-nine.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 9: Malware Switches to Custom UPX</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Persistence and Stealth Mechanisms</b></p>
<p>This malware employs multiple persistence and stealth mechanisms to ensure its mining operation in an infected system.</p>
<p>It adds the service netdns to ensure that the payload binary, /usr/sbin/kerberods, executes on boot.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_688957382.img.png/1559063451861/rocke-fig-ten.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 10: Init Scripts for the Malware Service</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>Several CRON jobs have also been added that regularly download and execute the <i>Stage1</i> script. This keeps the components updated with new developments from the malware’s developers. In older versions, these Pastebin URLs were all straightforward and hardcoded in the binary. In more recent variants, however, the Pastebin IDs have become more dynamic: another stage was added in the form of a new Pastebin URL from which the IDs can be obtained. If this URL is inaccessible, however, a hardcoded ID is still available for the malware to use.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_2088510645.img.png/1559063560888/rocke-fig-eleven.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 11: Added CRON Jobs Pointing to the Stage1 Script</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>To hide its mining operation, a hooking library (<i>usr/local/lib/&lt;filename&gt;.so</i>) is installed for dynamic library preloading. It does this by adding the library’s path to <i>ld.so.preload</i>, the dynamic loader’s preload list. In effect, the library is loaded into every new process.</p>
<p>The library’s filename is obtained by randomly choosing from a list of hardcoded strings in the binary, contrary to the older variants that simply used one hardcoded filename. The image below shows just a few of the filenames that it can use.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_1780224013.img.png/1559063709424/rocke-fig-twelve.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 12: Snippet of filename List</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>In a nutshell, the malware’s library component hooks functions so that any application trying to access information related to the malware will be presented with a fake result. These functions are related to the listing of files, network activities, processes, and CPU usage information. </p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_1009048518.img.png/1559063771246/rocke-fig-thirteen.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 13: Library with Hooked Functions Highlighted</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>For instance, if an application tries to list a directory where a component of the malware resides, the library ensures that the malicious file will not be included in the result. To achieve this, the malware hooks the <i>fopen</i> API. The same principle applies to the other artifacts related to it, making it harder for victims to discover and remove the malware.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_1047278228.img.png/1559063857685/rocke-fig-fourteen.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 14: Hook Function For fopen</b></p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_2138816150.img.png/1559063919055/rocke-fig-fifteen.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 15: Hidden Library Function</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>To conceal the actual CPU statistics, if an application attempts to read the <i>/proc/stat</i> file, the function <i>force_proc_cpu</i> is called to return a hardcoded statistic showing 0% CPU usage.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_641439724.img.png/1559064072651/rocke-fig-sixteen.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 16: Function that Returns the Fake proc/stat</b></p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_712397229.img.png/1559064130100/rocke-fig-seventeen.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 17: <i>top</i> Tool Display Before and After the Malicious Library is Preloaded</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Propagation</b></p>
<p>In earlier versions deployed in this campaign, this malware spread through a classic credential brute-force method targeting SSH (port 22) and Redis (port 6379) services. Basically, it scanned every IP address in the network and attempted to establish a session to these services using a long hardcoded list of credentials.</p>
<p>However, around a month ago, the threat actors started targeting systems that run Jenkins by attempting to exploit <a href="https://jenkins.io/security/advisory/2018-12-05/">CVE-2018-1000861</a> and <a href="https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266">CVE-2019-1003000</a>. </p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_479390399.img.png/1559065127291/rocke-fig-eighteen.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 18: Propagate via CVE-2019-1003000</b></p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_1952582165.img.png/1559065180306/rocke-fig-nineteen.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 19: Propagate via CVE-2018-1000861</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Miner</b></p>
<p>This campaign uses the open-source <a href="https://github.com/xmrig/xmrig">XMRig</a> CPU miner. In older versions, a separate configuration file was dropped onto the system containing all of the mining parameters, including the threat actors' wallet address and the mining pool they use.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_504045356.img.png/1559065246661/rocke-fig-twenty.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 20: Miner Config from Older Versions</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>In these latest versions, the configuration is embedded in the binary. The malware now routes its mining traffic through a proxy server, <i>systemten.org:51640</i> (most probably running an <a href="https://github.com/xmrig/xmrig-proxy">xmrig-proxy</a> service), where the wallet address and mining pool are configured. As a result, the miners on infected hosts do not need to carry these parameters, which effectively hides those details from further investigation. Note that the port may change depending on the variant.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/rocke-variant-ready-to-box-mining-challengers/_jcr_content/root/responsivegrid/image_1032212271.img.png/1559065323908/rocke-fig-twenty-one.png" alt/>
        </noscript>
    
    


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Figure 21: Embedded Miner Configuration with the Mining Pool Proxy</b></p>


</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <h3><b>Conclusion</b></h3>
<p>Through constant monitoring, we have observed that this is a very active campaign, often pushing multiple updates in a single day to add more features to their cryptomining scheme.</p>
<p>By utilizing a hook library, the malware makes it more complicated for users to manually detect and remove the infection from their systems, giving the threat actors more time to generate profit. We have also observed that they have started to add features to expand their infection by targeting system vulnerabilities, and given the recent rate of development, it’s likely that they will be adding more of these in the near future.</p>
<p>As always, FortiGuard Labs will be on the lookout for this campaign.</p>
<p>-= FortiGuard Lion Team =-</p>
<h3><b>Solutions</b></h3>
<p>Fortinet customers are protected by the following solutions:</p>
<ul>
<li>The Jenkins exploits are detected by our IPS signature <i>Jenkins.Script.Plugin.Authenticated.Remote.Command.Execution</i></li>
<li>The traffic to the xmrig-proxy can be blocked using the application control signature <i>Bitcoin.Cryptocurrency.Miner</i></li>
<li>All malicious samples are detected as Linux/Agent.BQ!tr</li>
<li>The miner’s proxy server is blocked by FortiGuard Web Filtering Service.</li>
</ul>
<h3><b>IOCs</b></h3>
<p><b><i>Files</i></b></p>
<p>fbbb28ed10c792b4a29748795cba26f78d28cf13d8b7b042d6de4f3ea1401399<br />
3a6271a90d0f6cc8a2d31d45d931e8401f13f7377932ba07d871dc42f252b9ca<br />
63c7f944bf8b9f4db9a8cf6d47a6d4026bba776478c1315c2888ecff603d73a1<br />
1608899ff3bd9983df375fd836464500f160f6305fcc35cfb64abbe94643c962<br />
f6712249b3c27772daf815d459577c2c88a3aef6b66dfd0986ac9277a8bb35e1<br />
ea682b4aa3885657fe15f76cc3f97322547ca21f347069cd3c78b152a0155781<br />
5eda73b869c22f92c78547995acbba5ff794ea24f5da72af2d653600411d6c97<br />
3f8683fa08a5ae5964f4ee4962465b16c12075480e24a269d151ce1130c77d8c<br />
b383d0fdfa5036ccfa5d9c2b43cbfd814bce8778978873057b86678e5295fc61</p>
<p><b><i>URLs</i></b></p>
<p>systemten.org<br />
https://pastebin[.]com/raw/Xu86DLj0<br />
https://pastebin[.]com/raw/0DqEa3Gn<br />
https://pastebin[.]com/raw/Ei4z3RQ7<br />
hTTps://pastebin[.]com/raw/XiUrwYe9<br />
https://pastebin[.]com/raw/rPB8eDpu<br />
https://pastebin[.]com/raw/HWBVXK6H </p>
<p><i>Learn more about <a href="https://www.fortinet.com/fortiguard/threat-intelligence/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta">FortiGuard Labs</a> and the FortiGuard Security Services <a href="https://www.fortinet.com/support-and-training/support-services/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services">portfolio</a>. <a href="https://www.fortinet.com/fortiguard/threat-intelligence/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta">Sign up</a> for our weekly FortiGuard Threat Brief. </i></p>
<p><i>Read about the FortiGuard <a href="https://www.fortinet.com/support-and-training/support-services/fortiguard-security-subscriptions/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service">Security Rating Service</a>, which provides security audits and best practices.</i> </p>


</div>

    
</div>
</div>

    
</div>
</div>


    
    
    

    
    
<script type="text/javascript" src="/etc.clientlibs/fortinet-blog/clientlibs/clientlib-base.min.js"></script>





    


    

    </body>
    </html>
